What the New Draft Rules Under DPDP Act Mean for Your Data

The Ministry of Electronics and Information Technology (MeitY) released new draft rules for the Digital Personal Data Protection (DPDP) Act on Friday. The proposed regulations will be open for feedback till February 18.

The Ministry of Electronics and Information Technology finally released the draft rules for the Digital Personal Data Protection (DPDP) Act this week. For digital India, these rules come after a long wait since the data protection bill was initially introduced in 2022 and was passed in parliament the year after. The proposed regulations will be open for public feedback till next month, February 18 (Tuesday).

From giving out clear information about personal data and its usage to handling children's data, the new regulations include strict guidelines in order to create accountability for data fiduciaries. In simplest terms, a data fiduciary is an entity or individual that handles data usage, be it for collection, storage, privacy or any other activity. E-commerce platforms, social media and gaming platforms are some examples that fall under this category.

The draft rules have used the term 'significant data fiduciaries' for those entities that process massive volumes of sensitive data. Their processing activities can often raise broader social and national concerns.

Making Things Simple

Data fiduciaries must notify data principals (individuals whose personal data is being processed) about the processing of their personal data in clear and simple language. They would now have to present details such as the purpose of data processing alongside the mechanism to withdraw consent. As a major highlight of this rule, the process for withdrawing consent must be made as easy as providing consent.

This will bring in more transparency for users, especially the not-so-digitally-savvy cohort who often find consent-related information complicated.

Registration of Consent Managers

Besides data fiduciaries, the digital space also includes consent managers, who act as independent third parties and are not involved in the data processing activity. They handle the management of consent given by data principals. As per the new rules, consent managers need to get themselves registered and provide all the necessary details as specified by the board.

In case of non-adherence, action will be taken against them, which can even lead to the suspension of their registration in order to protect the interest of the people.

This will eventually give people more confidence when faced with digital adversaries/criminal activities.

Leeway for States

Under the proposed rules, a special leeway is given to states for the processing of personal data. However, such leeway will only be provided when states have to give "subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds."

Plus, states would also have to follow the standards outlined in the Second Schedule, wherein the "processing (of user data) is carried out in a lawful manner."

Protecting Existing Data

While the generation of fresh user data will be constant, data fiduciaries must take reasonable security safeguards to protect existing data (already in their possession) through security steps like encryption and masking (hiding data in such a way that it brings no value to intruders).

Fiduciaries must also control who can access and handle the data. In case the data is lost or damaged, a backup plan should be present. Also, logs and data that help detect and fix breaches must be kept for at least one year, unless a law requires a different period.

Parental Consent for Children's Data

According to the proposed regulations, special provisions will be made to ensure parental consent for processing children's data. This will be verified through mechanisms like digital lockers.

"A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child," the draft rule read.

Besides all this, the new draft rules also include special compliances for the transfer of data outside India, the right to file complaints against fiduciaries, the role of the board, annual assessment and an audit of fiduciaries, among other things. One notable regulation mentioned in the draft paper is that personal data processed for research or statistical purposes is exempt from certain provisions.

All these regulations will bring more transparency to the much-complicated digital sphere at a time when people are increasingly facing wrongdoings and unlawful activities related to data usage.
